Hi everyone,
Is someone able to unpack the attached DLL, packed with ASPack 2.12?
Thanks
ASPack dll
- n00b
- Posts:2
- Joined:Thu Dec 26, 2013 5:48 pm
- Cool_Fire
- Not a sandwich
- Posts:1913
- Joined:Fri May 09, 2003 1:20 pm
- Location:41 6d 73 74 65 72 64 61 6d
- Contact:
Re: ASPack dll
Aspack is just zip compression. In theory you should be able to dump the original binary with a debugger.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
- n00b
- Posts:2
- Joined:Thu Dec 26, 2013 5:48 pm
Re: ASPack dll
Thanks,
I am a newbie, could you help me in any way (a tutorial, or just do it for me)? Many thanks.
The DLL is ApexSqlLog2013Activation.dll (you could download ApexSQL Log).
- Cool_Fire
- Not a sandwich
- Posts:1913
- Joined:Fri May 09, 2003 1:20 pm
- Location:41 6d 73 74 65 72 64 61 6d
- Contact:
Re: ASPack dll
You'll have to dive into the specifics of what ASPack does exactly (if it writes a file, you can just copy that at runtime, but odds are it will not).
Most likely it'll unzip the original executable into the data segment (an executable data segment is a dead giveaway for this). Then all you have to do is attach your favorite debugger, break on the condition of EIP jumping to an address in your data segment, and then just dump the data segment to disk. (The specifics of how to do each of these steps are in the documentation for your debugger of choice. I've done this whole thing with GDB before.)
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
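A static triage check for the "executable data segment is a dead giveaway" point above, added here as an example and not code posted in the thread: it walks the PE section table by hand (no third-party parser) and flags any section that is both writable and executable, or executable without the code flag, which is the layout a packer needs to unpack the real image in place and jump into it. The sample PE bytes and the section names `.text`, `.data` and `.adata` are constructed for the demonstration and are not taken from any real ASPack output.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def pe_sections(data):
    """Yield (name, virtual_size, raw_size, characteristics) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                          # section table
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rsize = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        yield name, vsize, rsize, chars

def suspicious_sections(data):
    """Names of sections that are writable *and* executable, or executable
    without being marked as code: the packer tell-tale described above."""
    hits = []
    for name, _vsize, _rsize, chars in pe_sections(data):
        can_exec = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        can_write = bool(chars & IMAGE_SCN_MEM_WRITE)
        is_code = bool(chars & IMAGE_SCN_CNT_CODE)
        if can_exec and (can_write or not is_code):
            hits.append(name)
    return hits

def build_sample():
    """Constructed minimal PE (no optional header) with three sections."""
    def section(name, vsize, rsize, chars):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, chars)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x2102)
    return (dos + coff
            + section(b".text", 0x1000, 0x1000, 0x60000020)   # code, r-x: normal
            + section(b".data", 0x20000, 0, 0xE0000040)       # data, rwx: suspicious
            + section(b".adata", 0x800, 0x800, 0xC0000040))   # data, rw-: normal

if __name__ == "__main__":
    print(suspicious_sections(build_sample()))   # ['.data']
```

Run it against a real DLL by passing `open(path, "rb").read()` to `suspicious_sections`; a hit only says the section layout looks like a packer's, so confirm with the debugger approach from the post.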
- Cool_Fire
- Not a sandwich
- Posts:1913
- Joined:Fri May 09, 2003 1:20 pm
- Location:41 6d 73 74 65 72 64 61 6d
- Contact:
Re: ASPack dll
On the specific subject of finding out what it's doing, have a look at http://msdn.microsoft.com/en-us/library ... s.85).aspx
Looking at what system calls it makes should give you some clues as to how it operates. If it's writing some file and then executing it, for example, you're probably dealing with a situation where it unzips, writes to disk and then executes the original file.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
- Fatal_Exception
- Strike 1
- Posts:138
- Joined:Sat Dec 27, 2003 4:52 pm
- Location:127.0.0.1
- Contact:
Re: ASPack dll
You could also try to use
Process Explorer : http://technet.microsoft.com/en-us/s.../bb896653.aspx
Process Monitor : http://technet.microsoft.com/en-us/s.../bb896645.aspx
Here is a walkthrough on unpacking ASPack.dll
http://blog.3slabs.com/2012/09/unpackin ... namic.html
Did you know that there are over 2 million people addicted to warez? I'm #323,097!